[39261] in Kerberos
About the purpose of client host principals for NFS
daemon@ATHENA.MIT.EDU (Marco Rebhan via Kerberos)
Sat Oct 7 15:23:13 2023
To: kerberos@mit.edu
Date: Sat, 07 Oct 2023 21:21:23 +0200
Message-ID: <2245400.ev0DxJNslZ@invader>
Reply-To: Marco Rebhan <me@dblsaiko.net>
Hey list,
I'm currently setting up Kerberos for my home network. The main motivation was
to get secure NFS, and as such I've looked at various guides on how to set it
up for that. They (for example, the Arch Wiki[1]) pretty much all tell you to
create principals for the host and NFS service for both the NFS server and
clients that want to connect.
However, after setting up the NFS server and my Linux PC like this, I tested
the whole setup with my MacBook, which doesn't have a host principal or any
other krb5 configuration yet (it can find the KDC due to DNS), and to my
surprise it can both obtain a TGT for my user and afterwards also mount the
NFS share.
What purpose does the host principal for clients serve here? I assumed it
would be either used to authenticate hosts before they're allowed to obtain a
TGT, or authenticate for mounting NFS shares, but clearly that's not the case
since it works without. Is it only used so that the network share can be
mounted without a user TGT?
Thanks,
Marco
[1]: https://wiki.archlinux.org/title/Kerberos#NFS_security
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos